resolves #35673
## PR overview
Redis proxy users may want to create advanced authentication methods.
For example, the official [Azure SDK extension for
Redis](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis)
allows authenticating to a Redis server using Microsoft Entra ID
token-based authentication, by passing a token in the password argument
of the `AUTH` command periodically, based on token expiration.
This PR introduces a way to support external authentication via a gRPC
service with additional support for expiry of such authentication (e.g.
for token-based authentication).
This way we keep it extensible for **any** advanced authentication
methods users might want to develop.
### The reviewer may ask: Why not use the _ext_authz_ filter?
The cost/latency impact of using the _ext_authz_ filter is much bigger
than the proposed design. That's because instead of being called on
every request, the current design only calls the external dependency on
**AUTH** commands. Not only that, but we would also have to decode the
Redis protocol twice if we used a separate filter.
---
Risk Level: Medium (small optional feature added to existing filter)
Testing: ✅
- Unit Tests
- Integration Tests
- Manual Testing
![image](https://github.com/user-attachments/assets/3caab358-7c37-446d-8e12-bff9c1442948)
- Also, we are already using the signed _-dev_ build on a test AKS
cluster
Docs Changes: ✅
- Proto docs
![image](https://github.com/user-attachments/assets/1432114f-ff93-431a-90ad-1c1262989e8c)
- Updated authentication-related information on the Redis protocol page.
Release Notes: ✅
---------
Signed-off-by: Diogo Barbosa <diogobarbosa@microsoft.com>
Signed-off-by: Diogo Barbosa <pessoal.dbarbosa@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 67b69c9038402b88953a2ab171ae38cab5cb23ab
Commit Message: Adds the ability to set the hits_addend for a given
rate_limit request via a hardcoded dynamic metadata field:
envoy.ratelimit:hits_addend.
Additional Description:
Risk Level: Low
Testing: Added unit test. I have also manually tested this using
gloo-edge as the control-plane.
Docs Changes:
Release Notes:
Platform Specific Features: N/A
[Optional Runtime guard:] N/A
[Optional Fixes #Issue] N/A
[Optional Fixes commit #PR or SHA] N/A
[Optional Deprecated:] N/A
[Optional [API
Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):]
N/A
---------
Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
Signed-off-by: code <wbphub@gmail.com>
Co-authored-by: code <wbphub@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9a474a30a1b9ecbfe1e9d1a5190ee8aef2b29041
* in-place change the ImmediateResponse::body type from string to bytes
per discussion this should be a safe swap for c++ Envoy
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
* add a unit test for non-UTF-8 body in external immediate response
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
---------
Signed-off-by: Xin Zhuang <stevenzzz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ ab4b6f70b283905d5fcb5ddb0b0be34562873b51
Signed-off-by: Adam Anderson <6754028+AdamEAnderson@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9a575d82a4186c8cf37ff3d7f0a7002dce412d7d
---------
Signed-off-by: Jacob Bohanon <jacob.bohanon@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ 32dd29468e136392d31cc75acc3c296d3bf76eb9
Introduce the ability to send dynamic metadata in the External Processing Request. Also implements the API for returning dynamic metadata as part of the External Processing Response.
---------
Signed-off-by: Jacob Bohanon <jacob.bohanon@solo.io>
Mirrored from https://github.com/envoyproxy/envoy @ 8f95f9ec501febe91e3f7688a3f85e33a2052d7a
* rlqs: update and document failure mode behaviors
RLQS documentation updates intended to prevent memory exhaustion
caused by the number of tracked buckets.
- Changes the default behavior of unset
ExpiredAssignmentBehavior.expired_assignment_behavior_timeout from
"retain unlimited time" to "abandon immediately"
- Clarifies the retention policy for the buckets that never received
the initial assignment.
- Clarifies the implementation details for evicting buckets that
never received the initial assignment.
---------
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 487f57ddc4a1d47828a5c8ceee91a08a879fc6dd
The repo has been renamed from cncf/udpa to cncf/xds a long time ago; this is just to reflect this in the bazel repo name.
Otherwise this is a noop.
Risk Level: Low
Testing: do_ci.sh
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f66bd34bf2060e71516456354202abb8ea23ba71
Add the ability to ext_authz to collect specified namespaces from route metadata and propagate them to the external auth service. #30252
The instruction of what namespace to select from route metadata, and the field in CheckRequest where the metadata context from the route is filled, are totally separate from those for the metadata context from the connection or request.
Risk Level: Low
Testing: Unit tests
Signed-off-by: Yujian Zhao <zhaosukima@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6b78796398528e6d9d5c60c24ab1f54bdc57db8e
This is to address issue: #28243
The value_bytes proto is added by #27865.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 8a2d9502638789b1d078f06f48b51918589a1f4a
* Turn ext_proc into API stable.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4e5031013746a0768e9a3065dbab08b70eaf3c05
* Fix ext_proc filter cannot send non-UTF-8 characters via gRPC
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9c6e75062ebdd8c8382c671662fb096569d9eaa9
This can help the ext_proc server extend the timeout value in case it needs more time to process a request in special situations, like cold-starting a WASM module when it receives the first request.
Risk level: Low
Testing: Integration tests.
Signed-off-by: Yanjun Xiang <yanjunxiang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f23c23e24264bfe0bf9453a071ec7040f79dc347
Generic services are deprecated since protoc version 2.4.0 (2010). Protoc plugins that generate code may require that generic services are disabled, so that they can generate their own classes of the same name.
Risk Level: Low
Fixes #25172
Signed-off-by: Sébastien CROCQUESEL <88554524+scrocquesel@users.noreply.github.com>
Mirrored from https://github.com/envoyproxy/envoy @ baec129464bba6e3651147a0d846e8c1f4610199
Sometimes, when an application doesn't bind to localhost and the machine uses iptables for traffic redirection, HDS might need to override the source address so that iptables redirects traffic to the application instead of getting into a loop.
Risk Level: Low
Testing: small unit test configuration, upstream cluster tests binding functionality, manual testing
Docs Changes: API docs
Release Notes:
Platform Specific Features: no
Signed-off-by: Łukasz Dziedziak <lukidzi@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 74bef6aac36a45a2b8f1812dcd3e31c7eb46db3e
Signed-off-by: Sergii Tkachenko <sergiitk@google.com>
Co-authored-by: Yan Avlasov <yavlasov@google.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 259d76ef89bc008db6620497c424a3ca3fe97d88
I had been trying to figure out a good way to provide more internally-derived feedback from an *ext_proc* implementation to *envoy* (without needing to do things like set response headers or rely on a separate log file), and was led to the discovery that the `ImmediateResponse.Details` field actually populates `%RESPONSE_CODE_DETAILS%` for use in access logging.
Due to how much better this discovery made my life, I am hoping it will make other people's lives better as well.
Signed-off-by: Chet Nichols III <chet@apple.com>
Mirrored from https://github.com/envoyproxy/envoy @ e00aa66429181e3973cc69ca57c26da730cc47af
Remove the unnecessary file-level 'not-implemented-hide' annotation. I found these annotations during the development of PR #18923, but it seems that they should not have this annotation.
If this is a misunderstanding on my part, please close this PR.
Risk Level: Doc Only.
Testing: N/A.
Docs Changes: N/A.
Release Notes: N/A.
Signed-off-by: wbpcode <comems@msn.com>
Mirrored from https://github.com/envoyproxy/envoy @ e9203e9845611bedfabbce26ed7d72cd8a6c8c32
This should reduce the binary size, which is particularly important for Envoy Mobile. Looking at a
local opt build with debug symbols, I'm seeing a drop from ~400MB to ~380MB, so maybe 5% saving. @Reflejo indicates that optimized Envoy Mobile without symbols is observing ~20% improvement.
Related to #10943
Risk level: Low
Testing: bazel query deps to confirm no more v2 API deps.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 53fca618e47702f6c8dbc323db9bd39d15725457
This PR currently only implements query string modifications when using a gRPC authorization server.
Signed-off-by: John Esmet <john.esmet@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ c42a018d332920f3e523f1a0409b6056bd805853